opensaml

Hello I have this XML as a SAML2 Response from my IDP: <Assertion ID="_97031c65-0139-4047-a416-9495df5d6ed7" IssueInstant="2016-10-26T07:45:43.438Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <Issuer> </Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI="#_97031c65-0139-4047-a416-9495df5d6ed7"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09

is the SAML protocol (Sing Sign ON) used soley for web apps and web services, or is it also used for standard applications? REVISED: I am looking for some windows (Standard Applications (not web based)) protocols for Single Sign On If you are looking at Windows specifically, why not use Kerberos and Integrated Windows Authentication? It's built into Active Directory and Domain Controllers. It doesn't really work once you start crossing into the Internet and different security domains but it works well behind your firewall in a corporate environment. However, SAML can be used for desktop

When using OpenSAML 3, you must first load components from the opensaml-saml-impl artifact with the following line of code: InitializationService.initialize(); This uses java.util.ServiceLoader to load any type which implements Initializer . When I write a test and run it with mvn integration-test , this works fine, and I can see that everything has loaded: Assert.assertTrue( XMLObjectProviderRegistrySupport .getUnmarshallerFactory() .getUnmarshallers() .size() > 400); However, my project uses maven-shade-plugin . The condition above is not true if I package the code into an uber-jar: mvn

Does anyone know if there is any documentation for OpenSaml3 anywhere? Paid or otherwise? I know there used to be a $15 book available, but I believe that only covers OpenSaml2. I know this will probably get voted down as it not a programming specific question, but Spring-Saml lists SO as it's primary forum now ( http://projects.spring.io/spring-security-saml/ ). SAML is a pain to implement without a good library and I think that Spring-SAML is the best thing available to someone writing on the JVM. Since Spring-Saml looks to be abandoned and with OpenSaml2 coming to end-of-life soon. I would

I implement a SAML SP in Java. I send an AuthnRequest to SAML 2.0 IDP and gets an encrypted response. My question is: How do I make sure that the response indeed comes from the IDP and not from a hacker? It is not enough to validate the signature, since this only tells me that the sender has a matching pair of private/public keys, but it could be anyone. So, I need the IDP to supply me in advance a certificate which I upload to a jks file, and compare it each time to the certificate I extract from the ds:X509Certificate element of the response. Now, is there a standard way of comparing the

I am attempting to implement SAML 2.0 by signing the response, instead of the Assertion. I have 3 existing vendors that accept my signature at the Assertion level, however a new vendor is requesting it at the protocol / response level. I have been Googling and debugging for about 8 hours, and cannot find a valid example of what I am doing wrong. My code below shows clearly what I am doing, and the last 10 lines or so of it are the differences that I have implemented (within the if / else). Also, I noticed in my XML that my SignatureValue and DigestValue are both empty. Can anyone point me

Should a SAML federation software accept the same SAML response as long as it is within the allowed SAML token lifetime? In simpler terms: IDP (identify provider) issues a SAML response, then SP (service provider) accepts/processes it. Can the same unmodified SAML response be then re-used immediately after the first use? Given that the SAML issuance timestamp is within allowed range. Security-wise it makes sense to restrict a SAML token (response) to only one use, so that even if it is stolen by a "man-in-the-middle" - it cannot be reused. But in order to implement that, the software needs to